loading
Loading content
loading
Also known as Common Vulnerability Scoring System
The Common Vulnerability Scoring System rates a flaw on a 0 to 10 scale derived from base metrics like attack vector, attack complexity, privileges required, user interaction, and the confidentiality, integrity, and availability impact. The Base score captures intrinsic severity, while optional Temporal and Environmental metrics adjust for exploit maturity and how the flaw matters in a specific deployment. CVSS 4.0 refined the model, but most feeds still carry 3.1 vectors.
The score gives teams a common language to compare unrelated vulnerabilities and to set patch deadlines, which is why it appears alongside nearly every CVE and in the output of most vulnerability scanning tools.
Treat CVSS as a starting point, not a verdict. A 9.8 on an unreachable internal host can matter less than a 6.5 on an internet-facing login page, and a high base score means little until someone confirms a working exploit exists. Penetration testers weigh CVSS against real reachability and business context during a penetration testing engagement.
In a Trickest workflow you enrich scanner findings with CVSS vectors automatically, then filter and route the highest-severity reachable issues into alerts so triage starts with what carries the most risk.
Related terms